“You can’t outsource accountability.” The words of Gurbir Grewal, the SEC’s Director of Enforcement, landed like a drumbeat. Whatever your firm says, builds, shares, or automates, if it reaches a client or touches decision-making, it’s yours to own. There’s no way around it.

That same year, regulators issued over $5 billion in penalties. These weren’t edge cases. Most stemmed from familiar situations: unverified marketing claims, AI that wrote checks compliance couldn’t cash, and policies that hadn’t seen daylight in years. It was less a wave of new rules and more of a stress test for how well firms upheld the old ones.

And 2025 is less about playing defense and more about tuning the instrument. If compliance is the rhythm section, it needs to keep time: quietly, steadily, with everyone in sync.
 

What 2024 Made Obvious, Compliance-wise

 
A wealth manager let AI draft client summaries. No one checked them. 

A fund used WhatsApp to close deals. No archive. 

A firm used a decade-old backtest in its pitch deck and presented it as proof of performance. 

None of these made headlines because they were bold; they made headlines because they were… painfully easy to prevent.

This wasn’t the enforcement version of “Don’t Look Up”: the signals were there. The SEC applied existing laws to modern workflows, and the results told a story: the technology had changed, but the responsibility had not.
 

Where the SEC Is Aiming in 2025

 
This year’s exam priorities are like a film we’ve all seen before—AI risk, cyber hygiene, shadow IT—but the sequel is longer, tighter, and more aggressive with plot twists.

What examiners are watching:

  • AI tools: If your chatbot suggests an investment product, it’s no longer just a tech issue. It’s marketing. And it’s regulated.
  • Cybersecurity: You can’t slap a lock icon on your homepage and call it good. They want logs, penetration tests, and response protocols.
  • Off-channel communications: If your team is using Signal and your policy says email only, you have a compliance fiction problem.
  • Vendor oversight: Think of it like The Godfather: if they mess up, it’s still your family’s name on the door.
  • ESG claims: No more vibes-based reporting. If you say it, support it. If you imply it, clarify it.

 

How Small Errors Become Big Headlines

 
A minor miss isn’t always obvious in the moment. Maybe a new employee posts a slide deck without legal review. Perhaps a senior partner uses a workaround to speed up onboarding. Or the procedures file simply gets “updated”… and no one re-reads it.

It adds up. And when the SEC shows up, they don’t just audit what you meant. They audit what you can prove.

Training is often the missing piece. If your team hasn’t seen a live example of a rule violation in the last year, odds are they’ve internalized policy as paperwork, not practice.
 

Eight Strong Moves for 2025

 

1. Re-check your marketing, like it’s new

Audit your public content quarterly. Yes, even the About page. Look for outdated disclosures, hyperbolic claims, and anything AI-generated. Annotate changes. Track approvals. Archive everything. You can never archive too much. But too little? Oh, that happens a lot. Let’s hope not for you.
 

2. Stop assuming your cybersecurity is fine

Quarterly breach simulations. Monthly log reviews. MFA is not just for email but for every system. Ask vendors for SOC 2 updates. Encrypt mobile backups like it’s second nature. 
 

3. Track every AI-generated output used externally

Use tags. Store versions. Require human review before anything hits a client’s inbox. Assume that if a language model wrote it, the SEC might read it.
 

4. Prepare now for new AML rules

Yes, now. Start verifying beneficial ownership fields. Audit customer risk ratings. Run a pre-mortem: if FinCEN changed the rule tomorrow, what would break?
 

5. Scrub your MNPI access lists

Review Slack channels, Zoom meeting invites, and shared drives. Remove stale access. Re-educate employees on what “confidential” means in practice.
 

6. Get serious about vendor reviews

Request security documentation yearly. Do tabletop exercises where you simulate a breach through a third party. Score vendors on data access, breach response, and last audit.
 

7. Rethink training

Use short bursts. Real cases. Quiz formats. Ask people what they’ve seen go wrong. Embed compliance into onboarding and offboarding. Make it something people experience and understand, not something they click through and forget.
 

8. Use tech that gives you receipts

Use a system that tells you who approved what, when, and why. Dashboards aren’t the goal. Traceability is.
 

What Complacency Actually Costs

 
We talk about it a lot, but more often than not, the fine is not the biggest cost.

In 2024, a mid-sized firm was fined $1.5 million. The issue? Incomplete email archives. When regulators asked for correspondence related to a client complaint, no one could find it. They weren’t hiding anything; they just didn’t have it.

The fine hurts. But what came after hurt more. Clients left. Prospects pulled back. Their name stayed on page one of Google… for all the wrong reasons.

In psychology, there’s a term for this: “normalization of deviance.” It’s what happens when something technically wrong becomes routine because no one stops it, until it becomes the norm. That’s what enforcement often catches: not a crime, but a culture.
 

Building a Culture That Holds Up

 
Remember Moneyball? Such a good story. Think about how Billy Beane rebuilt a team by focusing not on stars but on consistency. Compliance isn’t about flashy hires or once-a-year audits. It’s about reps. Small reviews. Weekly checks. Asking annoying questions early. Doing small things that don’t bring joy but lead you to the trophy in the long run.

What things? Build routines that trigger reflection, create shared ownership, and make documentation easy and accessible and part of how people work.

Regulators aren’t the villains; they’re the critics. And the audience is your clients. Your goal isn’t to dazzle but to deliver a system that stands up to scrutiny, no matter the genre.

Long story short, good governance in 2025 means no surprise endings. Just a structure that holds up, scene by scene, even when the credits roll.